OAIC Clarifies ID Document Retention: Destroy or De-Identify as Soon as Practicable

The Office of the Australian Information Commissioner (OAIC) has recently updated its guidance on the retention of identity (ID) documents collected after 31 March 2026, providing greater clarity on what is expected of reporting entities during the current AML/CTF transition period.

While many organisations have historically retained copies of ID documents as part of their customer due diligence processes, the OAIC has now made it clear that this approach is no longer acceptable under the new AML/CTF laws where it results in unnecessary or prolonged retention of personal information.

Importantly, the guidance reinforces a simple but often overlooked principle: just because you have done something in the past, doesn’t mean you can do it in the future.

What has actually changed?

At its core, the update is sharpening expectations around existing privacy principles.

The OAIC has reinforced that entities must not retain copies of ID documents collected after 31 March 2026 for longer than is reasonably necessary. This applies even in circumstances where organisations are navigating transitional AML/CTF requirements or relying on legacy systems.

In practical terms, this means entities need to actively assess the retention of full ID documents, rather than defaulting to historical practices.

From passive retention to active management

One of the more significant shifts in the guidance is the move away from passive retention toward active management of ID data.

Entities are expected to take deliberate steps to either destroy or de-identify ID documents collected under post 31 March 2026 transitional AML/CTF arrangements once they are no longer required. This is not a “set and forget” exercise. It requires ongoing review, clear ownership and a defined process.

The OAIC has also made it clear that operational inconvenience, including reliance on legacy systems, is not a sufficient justification for continued retention.

What does this mean in practice?

For many organisations, particularly those in financial services, this guidance will require a rethink of how ID documents are handled across their lifecycle.

At a minimum, entities should be able to demonstrate that, for IDs collected post 31 March 2026:

• they are committed to destroy or de-identify copies of ID documents;

• they have implementation procedures to ensure full copies of ID documents are not retained for longer than needed; and

• they have considered and mitigated the privacy risks for individuals.

Where immediate destruction is not feasible, the OAIC expects entities to have a documented plan in place.

This plan should outline why documents cannot yet be destroyed, what steps are being taken to address the issue, and a reasonable timeframe for resolution.

Governance expectations are increasing

The guidance also places a stronger emphasis on governance and oversight.

Senior management should have visibility over how ID documents are being retained and managed, particularly where there are known gaps or transitional arrangements in place.

Why this matters now

For many organisations, this guidance will challenge long-standing practices that have developed over time, driven by compliance with previous AML/CTF obligations.

As the new AML/CTF laws are now in force, the OAIC has made it clear that privacy obligations cannot be sidelined during transition periods.

Retaining full ID documents “just in case” is no longer a defensible position. Entities that want to retain full ID documents collected post 31 March 2026, they will need to be able to clearly articulate what legal obligation exists requiring them to hold those full ID documents, for how long, and what steps are being taken to reduce privacy risk.

A shift toward defensible decision-making

In light of the changes in AML/CTF legislation, organisations are expected to move away from blanket retention practices and toward a more considered, compliant approach that takes into account the OAIC’s guidance. One that balances regulatory obligations with privacy principles and is supported by clear documentation and oversight.

For compliance teams, this is an opportunity to revisit existing processes and ensure they can stand up to scrutiny if challenged.

Ready to Strengthen Your Oversight Framework?

If your firm is refining its approach to governance, now is the time to ensure your processes are not just compliant, but defensible and scalable.

Book a 15-minute call to see how 3Lines can help.